The ProMedica employee who was fired for accessing nearly 600 patient records at Bay Park hospital is now the focus of a criminal investigation. Oregon police Chief Mike Navarre said after speaking with ProMedica officials Friday that he is “very confident” the actions by the employee, whom he identified as a woman, were likely illegal.

“Based on what I was told today, I think it warrants a criminal investigation that will determine what laws were broken,” he said.

Chief Navarre said he will ask hospital officials for a copy of their internal investigation, which found that the woman had accessed 594 patient records between April 1, 2013, and April 1, 2014. He expects the criminal investigation of the security breach to take several weeks or months. He would not specify what charges the woman may face.

ProMedica officials refused to disclose why the employee violated the privacy of patients by looking at their personal information. They said the person responsible was not directly treating the patients.

“ProMedica Bay Park Hospital deeply regrets this incident and is fully cooperating with federal and legal authorities,” a hospital spokesman said in a statement. “There is no evidence that any financial information, including Social Security numbers, was accessed.

“As legally required, ProMedica Bay Park Hospital reported the event to the Department of Health and Human Services. ProMedica Bay Park Hospital intends to be transparent about the event as it has been thus far.”

The hospital completed its investigation of the incident and discovered the security breach on April 2 but did not notify the public until Wednesday, nearly two months later.

Hospital officials refused to disclose any information about the person involved in the incident, citing employee confidentiality concerns. The company notified federal health authorities about the data breach but did not contact local law enforcement, ProMedica officials said.

The chief said he was not made aware of the incident by the hospital system and that he is not sure if it is bound by law to report the incident to law enforcement agencies. At the same time, however, he expressed frustration about learning of the security breach from the news media.

“Imagine there is dead body and finding out about it a year later and starting your investigation a year later,” he said.

He added that even if his department’s investigation finds that the employee did not access financial information about patients, the woman could still face criminal charges for her actions.

In similar cases of hospital data breaches, the people responsible have faced federal criminal prosecution for identity theft and privacy-law violations. In 2012 an employee who accessed personal patient information at Northwestern Memorial Hospital in Chicago was charged with identity theft. In 2011, a former employee of the University of Pittsburgh Medical Center Shadyside near Pittsburgh pleaded guilty to violating the Health Insurance Portability and Accountability Act after stealing the personal information of patients there.